Common Sense Media Misses the Mark on COPPA

Recently Common Sense Media posted a summary of COPPA, the Children’s Online Privacy Protection Act, and unfortunately the piece had a number of fundamental misunderstandings about this key piece of privacy legislation.

Schools rightfully have a high regard for the information that Common Sense education publishes about student safety and digital citizenship, and are likely to presume that all of the privacy content from the education group is of similar quality. That is not always the case for privacy information. I know Common Sense Media has several very knowledgeable experts on data privacy and it is unfortunate that this expertise does not always seem to be used when editorial information on privacy is published.

First, the article refers to COPPA as “a law dealing with how websites….collect data and personal information about kids under the age of 13.” This is incorrect: COPPA deals with information collected from children under the age of 13. (By contrast, FERPA covers data directly about a student, maintained by the school or school’s agent.)

Second, in listing three things about COPPA, the article states that under COPPA a vendor must “Not use kids’ data for marketing-related purposes.” COPPA says no such thing; in fact, COPPA specifically provides mechanisms where parents approve this collection and use. That is kind of the whole point of COPPA.

Lastly, the article suggests that “COPPA compliance might depend more on how teachers and students actually use the tool at the classroom level”. There is no basis in the COPPA regulation or FAQ that would give the impression that COPPA compliance is dependent on individual use. Determination is based on whether a site is “child directed” or whether the vendor has actual knowledge.

Rather than citing any primary sources on COPPA, the article attempts to summarize a very complex point about school consent made in EdWeek’s “COPPA and Schools: The (Other) Federal Student Privacy Law, Explained.” In doing this it fails and ends up providing misleading information through incomplete summarization.

What Do Schools Really Need to Know About COPPA?

  1. Schools should think of COPPA as a subset of their overall privacy responsibilities. I would argue that schools should prioritize overall privacy for students of all ages, and compliance with FERPA. There are few cases where paying attention to this would not also aid in the schools’ role in vendors’ COPPA compliance.
  2. There is only a very narrow set of circumstances where a school can provide consent on behalf of the parent (for COPPA), and they are described in the COPPA FAQ as:
    • Where the school is contracting for a service solely for the benefit of their students and for the school.
      • In my opinion, contracting means there is a legal and direct relationship between the school and the vendor, and would likely not mean cases where the student signs up directly with the vendor and the school has no control; and “solely for the benefit” means, among other things, no commercial use.
    • The operator has provided the school with all the notices required under COPPA, including a description of the types of personal information collected and full notice of its collection, use, and disclosure practices. Based on these notices, the school should be able to answer these questions:
      • What types of personal information will the operator collect from students?
      • How does the operator use this personal information?
      • What measures does the operator take to protect the security, confidentiality, and integrity of the personal information that it collects?
      • What are the operator’s data retention and deletion policies for children’s personal information?
      • Does the operator use or share the information for commercial purposes not related to the provision of the online services requested by the school? For instance, does it use the students’ personal information in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service? If so, the school cannot consent on behalf of the parent.
      • Does the operator enable the school to review, prevent further collection and have deleted the personal information collected from their students? If not, the school cannot consent on behalf of the parent.

 

 

 

 

Privacy Differences between Consumer Gmail and G Suite for Education

Updated on 12/19/2017 based on feedback and corrections from Kim Nilsson

This is a question that comes up quite frequently. There are significant differences between the consumer Google accounts that are familiar to many parents, and the G Suite for Education accounts that are used in schools. Two significant differences are in the My Account settings and in Google search results.

Schools may also find it helpful to refer to Google’s suggested Notice template for schools when gathering parent or guardian consent and to this page for the privacy practices for specific Google services.

User Data Collection settings in User Dashboard and My Account

The Google Dashboard allows the user to see and manage the data in their Google Account. The “My Account” link under the user profile provides users the ability to review their account settings, and view and manage collected data. There are additional settings and activity views under the more-activity page. There are significant differences in the data collected between consumer Gmail and G Suite for Education accounts. Additionally, G Suite for Education administrators must manually enable non-education Google services. If a service (e.g. Google + or Blogger) is not enabled by the G Suite Admin, the user will see the following message and will be unable to access the service.

The following table compares the differences in the My Account settings between consumer and G Suite accounts.

 

Category Consumer Accounts G Suite for Education Accounts
Services/Tools
Security Checkup Available Available
Privacy Checkup Available Available
Find Your Phone (details) Available Available
Signing in to Google
Sign in with your Phone Available Feature requires the following to be enabled by the G Suite Admin

Web & App Activity

Google Now for iOS and Android
Device Management->
Advanced Settings->
Other Google Services

Also requires the Google app for mobile be installed

Change Password Available/User Editable Available (See Note 1)
2-step verification Available Available (See Note 2)
Account recovery options
Recovery eMail Available/User Editable Available if enabled by Admins  (See Note 1)

Note: This feature is not an option if the domain is using Single Sign-On (SSO) or G Suite Password Sync. It also doesn’t work for users under the age of 18.

Recovery Phone Available/User Editable See above
Security Question Available/User Editable See above
Device Activity & Notifications
Recent security events Available Available
Recently used devices Available Available
Apps with access to your account

these are 3rd party services that the USER has given permission to access their account

Available/User Editable Available/User Editable
Saved passwords Available/User Editable Requires the Chrome Sync service to be enabled by the G Suite Admin for the user (G Suite Core).

more info

Allow less secure apps Available/User Editable This setting is managed by the district Admin.

more info

Personal Info and Privacy
Name Available/User Editable Editable by the G Suite Admin. Typically synced from a directory or student information system. There is a setting in the Admin control panel to allow/disallow users from editing their name.
NickName Available/User Editable Editable only if Google + is enabled by the G Suite Admin for the user.
User Photo

Gmail setting

Available/User Editable Available/User Editable

There is a setting in the Admin control panel to allow/disallow users from editing their photo

Phone Available/User Used with Hangouts, Google Voice or an Android device Present if the user has provided a phone # and is enabled (e.g. when verifying an installed mobile app)
Birthday Available/User Editable Required for G+ service

There is a setting in the Admin control panel (Directory) to allow/disallow users from editing their birthday.

For Education domains, birthday is never editable by end users except for in the Google+ upgrade flow, where it is always editable.

Birthday is only shown to people the user connects with on Google. Private by default, sharing is controlled in the about me settings

Gender Available/User Editable Required for G+ service

There is a setting in the Admin control panel (Directory) to allow/prevent users from editing their gender

By default, gender isn’t shared with other people who use Google services

About Me Available/User Editable Some information is restricted from editing
Google + Settings Available/User Editable Data and setting is user editable only if G+ is enabled for user by the G Suite Admin. This is not permitted for users under 13

There is an Admin option to automatically create G+ profiles for users

Shared Endorsements Available/User Editable Data and setting not present in G Suite for Education. Google does not use shared endorsements for G Suite accounts. G Suite Users will see a message saying “The setting you are looking for is not available for your account”
Blocked Users Available/User Editable The Blocked Users option appears if ANY of the following services are enabled for the user by the G Suite Admin:

-Core: Hangouts

-Non-Core: Google+, Photos, Maps, YouTube

See here for details

Location Sharing Available/User Editable OFF by default

Requires Location History service. This is a non-core service which is off by default and must be enabled by the district Admin

Search Settings Available/User Editable OFF by default

Editable, but SafeSearch is frequently managed by district DNS settings, Chromebook policies, content filters or other means and is not editable in those cases.

Additionally, Google does not display ads or collect search data from Google searches from users that are signed in to a G Suite for Education account

Manage your Google activity
Activity controls
Web & App Activity Available/User Editable

OFF by default

Web & App Activity stores your searches and other things you do on Search, Maps and other Google services, including your location and other associated data.
When Web & App Activity is on, this data may be saved from any of your signed-in devices.

OFF by default

Requires the Web and App activity service (including Chrome browsing history) This is a non-core service which is off by default and must be enabled by the district Admin

The screen has a setting: “Include Chrome browsing history and activity from websites and apps that use Google services”

This additional setting cannot be enabled in G Suite for Education domains as indicated by the message

“Based on your organization, this setting is disabled.”

Note this is not the same as the LOCAL browser history that may be stored on a user’s computer

 YouTube Search History  Available/User Editable

ON by default

Requires YouTube service which must be enabled by the Admin

This is enabled (ON) by default if YouTube is enabled and the user creates an account

 YouTube Watch History  Available/User Editable

ON by default

Requires YouTube service which must be enabled by the Admin

This is enabled (ON) by default if YouTube is enabled and the user creates an account

Device Information

Device Information privately stores your contacts, calendars, alarms, apps, music, movies, books, and other content. It also stores the status of your devices – for instance, whether the screen is on, the battery level, the quality and duration of network connections like Wi-Fi and Bluetooth, touchscreen and sensor readings, and crash reports. Information is visible only to the user

more info 

Available/User Editable

OFF by default

When this setting is on, information may be saved from any device that uses your Google Account

User can review and delete information

Available/User Editable

OFF by default

When this setting is on, information may be saved from any device that uses your Google Account

User can review and delete information

Location History

 

Available/User Editable OFF by default

Requires Location History service which must be enabled by the Admin

Can be enabled by the user. User can review and delete data

Voice & Audio Activity

Activity from “OK Google”

Available/User Editable

OFF by default

OFF by default

Can be enabled by the user. User can review and delete recordings

Review activity
My Activity Available

My Activity shows all activity collected based on the user’s settings for the following

-Web & App Activity
-Device Information
-Voice & Audio Activity
-YouTube Search History
-YouTube Watch History
-Location History
-Google Play Sound Search History
-YouTube “Not interested” feedback
-YouTube survey answers
-Google Place answers

 

 

Available data is YouTube watch and search data and depends on the non-core  YouTube service which must be enabled by the Admin
Timelines in Google Maps Available/User Editable Requires the non-core location history service which is disabled by default in G Suite for Education and must be enabled by the Admin
Google Dashboard Available/User Editable Available

Allows viewing, managing, exporting and deleting data for many Google services

Ads Settings
Ads Settings Available/User Editable Disabled and not possible to enable for G Suite for Education accounts. The user will see the following message when going to the settings page

“Ads Personalization is turned off for this Google Account – The option to personalize ads in Ads Settings is turned off for this account. That means that Google doesn’t use any information associated with this Google Account to target ads while you’re signed in to this account.”

Control your content
Download Your Data Available Requires the non-core Google Takeout service to be enabled by the G Suite Admin
Transfer your content Available Requires the Google Takeout service, as well as an additional Takeout checkbox setting, and requires external sharing to be enabled by the G Suite Admin in the settings for Google Drive
more info 
Assign an account trustee Available Not available for G Suite for Education accounts
Account Preferences
Payments
Payment Center Available Requires the non-core Google Payments service to be enabled by the G Suite Admin
Subscriptions Available Requires the non-core Google Payments service to be enabled by the G Suite Admin
Payment Methods Available Requires the non-core Google Payments service to be enabled by the G Suite Admin
Language & Input Tools
Language Available/User Editable Available/User Editable
Input Tools Available/User Editable Available/User Editable
Accessibility
Screen Reader Available/User Editable Available/User Editable
High Contrast Colors Available/User Editable Available/User Editable
Your Google Drive storage

Informational only, total storage in account

Available Available (Note that G Suite for Education accounts have unlimited storage)
Delete your account or services
Delete Products Available to delete Gmail, YouTube, Google +

Provides link to download data

Deleting Gmail is not an end-user option. Accounts can only be deleted or suspended by the G Suite admin. Users can delete profile data for YouTube and Google +. Deleted data is removed from Google systems; more detail is here

Provides link to download data

Google Search Advertising and Tracking

Another key difference between consumer Google accounts and G Suite for Education accounts is the data collection and use in Google Search for signed in users. The screenshot below shows a consumer account’s search results for the term “Lego”. The page shows two ads shown before the actual search results and a sidebar of results from Google’s shopping service.

By contrast, the following screenshot shows a G Suite for Education account’s search results for the term “Lego”. The results show no ads and the sidebar includes only the “info box” for the Lego company and no results from Google’s shopping service

 

 

Notes

1-Admins can enable this password recovery option; see this. If the district is syncing passwords via GAPS or using SAML, the user may have similar capabilities.

2-Users can opt in to 2-step verification. Admins can also require 2-step verification for specific accounts; see here for details.

 

Methodology

G Suite Accounts: Testing was conducted using 4 newly created accounts from a non-production G Suite for Education domain (each account had a variety of services enabled from only minimal Core G Suite services, not including hangouts or groups to an account with all core and non core services enabled and

Gmail Accounts: Testing was conducted with two accounts, one newly created and one in active use for several years.

 

Google Adds Chrome Sync to gSuite for Education Core Services

Recently Google quietly made a change to include “Chrome Sync” in the list of “Core” tools in gSuite for Education. Chrome Sync provides the ability (when you sign in to Chrome, or by default on a Chromebook) to sync Chrome data to your Google Account and to any other supported ChromeOS/browser that is signed in. Synced data includes Chrome apps, autofill settings, bookmarks, Chrome extensions, browser history, passwords, Chrome settings, themes, wallpaper, open tabs and Google payment data.*

This change should provide official clarity as to how data in Chrome Sync is used, as described in the Education Privacy Notice.

This change also provides an opportunity for District G Suite Admins to remind users that they have the option to add an additional layer of privacy by setting a Chrome Sync passphrase. A sync passphrase encrypts all synced data at rest. If you set a passphrase, you can use Google’s cloud to store and sync your data without letting Google read it.

Users also have the ability to selectively disable syncing of some or all of the elements that are synced.

The G Suite Services Summary page now includes the following text:

“G Suite for Education” is an edition of G Suite comprised of the G Suite Core Services, excluding Google+ and Google Cloud Search. …. This edition also includes Classroom and Chrome Sync as G Suite Core Services.

  • “Classroom” is a web-based service that allows End Users to create and participate in classroom groups. Using Classroom, students can view assignments, submit homework, and receive grades from teachers.
  • “Chrome Sync” is a feature that allows End Users to synchronize bookmarks, history, passwords, and other settings across all the devices where they are signed in to Chrome.

And the G Suite for Education Core and Services Admin help page is updated to say:

G Suite Core Services are Gmail (including Inbox by Gmail), Calendar, Chrome Sync, Classroom, Contacts, Drive, Docs, Forms, Groups, Sheets, Sites, Slides, Talk/Hangouts and Vault.

Prior to this change, Google offered this statement about the use of Chrome Sync data in response to a request for information from Sen. Al Franken.

Users who have Chrome Sync enabled (whether on a Chromebook or using the Chrome browser) will have additional information about their browser settings stored in their Google Account, including browsing history, any saved apps, extensions, bookmarks, and passwords. ….. If any of this data is associated with a student’s GAFE account — which is the case when a student is logged into a Chromebook with Chrome Sync enabled with their GAFE account — we consider this data to be the student’s personal information and do not use it to target ads.

Google stated that it “collects, maintains, and uses information via Chrome Sync (in aggregated and anonymized form) for the purpose of improving Google products”. For context, this is comparable to similar language and use by Apple, which states that …

“We may collect and store details of how you use our services, including search queries. This information may be used to improve the relevancy of results provided by our services”

And with Microsoft’s Cortana service, which states that

“Microsoft uses your voice data to improve Cortana’s understanding of how you speak to keep improving Cortana’s recognition and responses, and to improve other Microsoft products and services that use speech recognition and intent understanding”

 

*Google payment data is a non-core service, only available to users 13 and older. Schools are required to get parental permission if this is enabled for users 13-18.

 

Google Notifies K12 Admins of Upcoming Changes to enabled “Additional Google Services”

I have previously written about gSuite for Education and the number of non-core services that are enabled by default when a school sets up their domain. I have not had a chance to retest what services are still enabled by default when creating a new domain, but I did want to acknowledge that Google recently notified existing K12 admins that unless they opt out, Google will change their settings and turn off approximately 1/2 of the non-core services on August 1st, 2017. Admins can re-enable the services manually.

The list of services to be turned off appears to correspond with the list I noted in Jan. 2017 and is a good partial step toward helping K12 admins tighten down their domains for apps outside the core set of gSuite tools. It also provides an end-of-school-year reminder that schools need to be getting permission and, I would also add, going back to parents to get permission for services that were turned on by default.

*************************************************************************************

YOUR ACTION NEEDED

Services settings changing for G Suite for Education on Aug 1, 2017

In addition to our core G Suite productivity tools like Gmail, Docs, and Classroom, Google makes some of our Additional consumer services available to our G Suite for Education users. These services are used by our G Suite for Education customers to support their educational missions. We want to ensure that other Google services that are not designed for students, such as advertising management services, are not accessible to these users without careful consideration from administrators and parents. You can read more about our commitment to privacy and security here.

To keep G Suite for Education focused on the right services for most schools, we will disable the set of Additional services below on <your domain’s> G Suite for Education account on Aug 1, 2017, unless you choose to control your users’ access to these services yourself below.

Note that you are receiving this message because you are either a K-12 school in our system or your domain has no school type in our system. In order to receive better-targeted communications in the future, please set your school type here. Learn more

Here are the services that will be disabled for your domain:

[Screenshot: list of services to be disabled]

Note that some of these services may already be disabled for your users. See your configuration.

If you choose to control services yourself and opt-out of having these services disabled automatically, your institution must ensure, for each of these services you choose to keep on, that:

  • you are enabling the service for educational purposes;
  • you are not enabling the service for any user under the age of 13 (learn more about managing access for different users in our Help Center);
  • your organization has obtained parental consent for any users between 13 and 18 years old to use the service. Our Help Center has more information and resources for Getting consent for G Suite for Education.

Note that there might be other requirements in countries and communities around the world. Learn more.

You may choose to keep these services enabled for specific organizational units, and disable them for others, depending on your needs. For new services that are added by Google in the future, please see the ‘New Products’ setting on the Company Profile page. Learn more

Choose what is right for you:

[Screenshot: available choices]

 

Testing – New Google Search “Personal” Tab absent in gSuite for Education

This weekend Google rolled out a change to Google.com search to add a “personal” tab described by cmswire as…

“results come directly from your Google accounts. According to reports, personal ads may also appear in these results. The tab can be found under the ‘More’ option on the search page and surfaces everything related to a keyword in email messages, calendar events and photos.”

Recently I’ve been testing the differences between Consumer Google Accounts and gSuite for Education accounts, so I thought it would be good to check if this feature was rolled out to gSuite users.

Short answer, it is currently not. 

Google features often appear in the consumer version first and then move to gSuite, but Google has yet to announce any plans to move the feature into gSuite for Education.

Here is my consumer Gmail account, with the “personal” tab highlighted; the “more” menu shows videos, shopping, books and flights.

[Screenshot: consumer Google search]

Here is my gSuite for Education account, with videos highlighted, no “personal” tab, and a drop-down that only shows books and flights.

[Screenshot: gSuite Google search]

Tracking Google and Microsoft Adoption in Higher ED

Earlier this month, New York Times columnist Natasha Singer wrote How Google Took Over the Classroom, a detailed look at the rise of Google in primary and secondary education. (Also worth a listen is the NPR interview on All Sides with Ann Fisher).

The article did not address Google at the post-secondary level, but Joshua Kim of Inside Higher ED asked “I’ve been looking for recent data on the Google vs. Microsoft enterprise e-mail battle – but I can’t find anything recent. Can you help?”

Challenge Accepted.

I have a history (or a mild obsession) of tracking edtech. Back in 2010 and for a few years after, Forbes blogger Eric Lai and I tracked the growth of the iPad in K12, Higher Ed and the enterprise. I have been tracking the growth of Google Apps (now gSuite) and Office 365 in K12 and to a lesser extent Higher Ed since 2014.

Back in December, I posted a domain / DNS analysis of adoption in K12 for O365 and gSuite, so I thought it would be a good time to update the numbers for Higher ED.

The methodology is the same as I used for K12 districts: a scan of DNS records, looking for specific known markers in MX, TXT and other records. However, for Higher Ed the data is likely more accurate given that the root domains are well known (.EDU).

For this analysis, I pulled the US based listing from a list of EDU domains on GitHub. The list included only the root EDU domain, and individual colleges or campuses (sub-domains) may run different email systems than what is used on the primary domain, but this approach of using a large data set provides an overview of the adoption of Google and Microsoft email systems.

I scanned the DNS records of 2,276 US EDU domains and got the following results for domains that had DNS MX records that indicated they were routing mail directly through Google or Microsoft servers. The Google numbers are lower than I had expected.

Google MX Records  18.31%
Microsoft MX Records  40.84%

 

One result worth noting was that 30.96% of the sites returned DNS markers that were indicative of a domain that had started the process of verifying domain ownership with Google. Taken together with the 18.31% of domains that are actively routing mail through Google, this would strongly indicate that 12.65% of root EDU domains had either started or were using Google and are now not using Google for mail.
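The marker-based classification described above, as an added example that is not the script used for this post. The MX suffixes and the TXT prefix are assumed markers (the post does not list its own), and the DNS answers are constructed samples on reserved `.example` names so the code runs offline.

```python
"""Classify mail routing from DNS answers that were already fetched."""
from collections import Counter

# Assumed markers (the post does not list its own): widely documented MX host
# suffixes for each provider and Google's domain-verification TXT prefix.
GOOGLE_MX = (".google.com", ".googlemail.com")
MICROSOFT_MX = (".mail.protection.outlook.com",)
GOOGLE_VERIFY = "google-site-verification="


def _host(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def mx_provider(mx_records):
    """mx_records: list of (preference, host). Judge only the most-preferred hosts."""
    if not mx_records:
        return "none"
    best = min(pref for pref, _ in mx_records)
    primary = [_host(h) for pref, h in mx_records if pref == best]
    if all(h.endswith(GOOGLE_MX) for h in primary):
        return "google"
    if all(h.endswith(MICROSOFT_MX) for h in primary):
        return "microsoft"
    # A filtering gateway in front of hosted mail also lands here: MX shows
    # only the first hop, so this method can undercount both providers.
    return "other"


def has_google_marker(txt_records):
    """True if any TXT record is a Google domain-ownership verification token."""
    return any(t.strip().strip('"').lower().startswith(GOOGLE_VERIFY)
               for t in txt_records)


def classify(records):
    """records: {'mx': [(pref, host), ...], 'txt': [str, ...]} for one domain."""
    provider = mx_provider(records.get("mx", []))
    marker = has_google_marker(records.get("txt", []))
    return {"mx": provider, "google_marker": marker,
            "marker_without_google_mx": marker and provider != "google"}


def summarize(dataset):
    """Return each category as a percentage of all scanned domains."""
    counts = Counter()
    for records in dataset.values():
        result = classify(records)
        counts[result["mx"] + "_mx"] += 1
        counts["google_marker"] += result["google_marker"]
        # Counted per domain rather than by subtracting two percentages, so it
        # does not assume every Google-MX domain still publishes a marker.
        counts["marker_without_google_mx"] += result["marker_without_google_mx"]
    total = len(dataset)
    keys = ("google_mx", "microsoft_mx", "google_marker", "marker_without_google_mx")
    return {k: round(100 * counts[k] / total, 2) for k in keys}


# Constructed sample answers (reserved .example names, made-up tokens).
SAMPLE = {
    "alpha.example": {
        "mx": [(1, "ASPMX.L.GOOGLE.COM."), (5, "ALT1.ASPMX.L.GOOGLE.COM.")],
        "txt": ["google-site-verification=CONSTRUCTED-TOKEN-1",
                "v=spf1 include:_spf.google.com ~all"]},
    "bravo.example": {
        "mx": [(0, "bravo-example.mail.protection.outlook.com.")],
        "txt": ["MS=ms00000000", "google-site-verification=CONSTRUCTED-TOKEN-2"]},
    "charlie.example": {
        "mx": [(10, "mx1.charlie.example.")],
        "txt": ["v=spf1 mx -all"]},
    "delta.example": {
        "mx": [(10, "delta-example.mail.protection.outlook.com.")],
        "txt": []},
    "echo.example": {
        "mx": [],
        "txt": ['"google-site-verification=CONSTRUCTED-TOKEN-3"']},
}

if __name__ == "__main__":
    for name, value in summarize(SAMPLE).items():
        print(f"{name}: {value}%")
```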

 

Google’s Response to gSuite Admins in Phishing Incident

[Updated: as Doug Levin notes, Google was warned about the potential of this problem in 2011]

On May 3rd, a small percentage (~.1%) of Google users were hit with a sophisticated phishing attack (it used at least 13 different application “clientIds”). The phishing took the form of a link that directed users to an application claiming to be “Google Docs” and routed users to Google’s login/permission pages (OAuth2) to grant access to Gmail and contact scopes.

For districts using gSuite for Education, it was impressive to see how quickly the EDU user community jumped on this issue. AmplifiedIT crowd-sourced the collection of clientIds and posted remediation steps. Google shut down the applications within an hour and Admins of impacted domains received an email similar to the one below late on the evening of 5/4/17.

 


Dear G Suite Administrator,

On Wednesday, May 3, we identified, investigated, and resolved an email phishing campaign. This issue was addressed within approximately one hour from when Google became aware of it. Please note that we have already taken action to protect all users, and no further action is necessary. To assist you in understanding what happened and better educating your users on email security, we are sharing details on how the campaign worked and how we addressed it.

What happened:

The affected users received an email that appeared to be from a contact offering to share a Google doc. Clicking the link in the attacker’s email directed the user to the attacker’s application, which falsely claimed to be Google Docs and asked for access to the user’s account. If the user authorized the application, it accessed the user’s contacts for the purpose of sending the same message to those contacts. This access only retrieved contacts and sent the message onward—customer data such as the contents of emails and documents were not exposed.

Upon detecting this issue, we immediately responded with a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems.

We have taken the following steps to protect your users:

  • Disabled the offending Google Accounts that generated the phishing link
  • Revoked any access that the affected users authorized to the attacker
  • Disabled the malicious projects and apps that sought access

In addition, Google is taking multiple actions to combat this type of attack in the future such as updating our policies and enforcement on OAuth applications, updating our email filters to help prevent campaigns like this one, and augmenting the monitoring of suspiciously behaving third-party apps that request consent from our users.

As a general precautionary measure, you may choose to take the following actions regularly for your users:

We thank you for your continued business and support. If you have any questions, please let us know by contacting Google Support and referencing the issue number [removed].

Sincerely,

The G Suite Team
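One way an admin could triage third-party OAuth grants for the pattern described in this post (an app that uses a Google product name and asks for mail and contacts access), as an added example that is not Google's or AmplifiedIT's code. The grant record layout, client IDs, app names and the protected-name list are constructed assumptions; the scope prefixes are real Google scope strings, but which exact scopes the campaign requested is not stated on this page.

```python
"""Flag OAuth grants that match the fake "Google Docs" pattern (constructed data)."""
import unicodedata

# Assumptions for illustration: names a third-party app should never use, the
# district's approved client IDs, and a placeholder for a crowd-sourced list.
PROTECTED_NAMES = {"google docs", "google drive", "gmail"}
APPROVED_CLIENT_IDS = {"1111-approved.apps.example"}
REPORTED_CLIENT_IDS = {"9999-reported.apps.example"}

MAIL_PREFIXES = ("https://mail.google.com/",
                 "https://www.googleapis.com/auth/gmail")
CONTACT_PREFIXES = ("https://www.googleapis.com/auth/contacts",
                    "https://www.google.com/m8/feeds")

# Zero-width characters that can hide inside a display name.
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"))


def normalize_name(name):
    """Fold compatibility forms, case, zero-width characters and extra spaces."""
    name = unicodedata.normalize("NFKC", name).translate(ZERO_WIDTH)
    return " ".join(name.casefold().split())


def triage_grant(grant):
    """Return the list of reasons a single grant deserves review (empty if none)."""
    reasons = []
    client_id = grant["client_id"]
    if client_id in REPORTED_CLIENT_IDS:
        reasons.append("reported-client-id")
    if client_id in APPROVED_CLIENT_IDS:
        return reasons  # vetted app: name and scope heuristics do not apply
    if normalize_name(grant["app_name"]) in PROTECTED_NAMES:
        reasons.append("impersonates-protected-name")
    has_mail = any(s.startswith(MAIL_PREFIXES) for s in grant["scopes"])
    has_contacts = any(s.startswith(CONTACT_PREFIXES) for s in grant["scopes"])
    if has_mail and has_contacts:
        # Mail plus contacts is what lets a message re-send itself to contacts.
        reasons.append("mail+contacts-scopes")
    return reasons


def grants_to_review(grants):
    """Return (user, client_id, reasons) for flagged grants, most reasons first."""
    flagged = [(g["user"], g["client_id"], triage_grant(g)) for g in grants]
    flagged = [row for row in flagged if row[2]]
    return sorted(flagged, key=lambda row: -len(row[2]))


MAIL = "https://mail.google.com/"
CONTACTS = "https://www.googleapis.com/auth/contacts"

# Constructed grant records; field names are not a real audit-log schema.
SAMPLE_GRANTS = [
    {"user": "carol@school.example", "client_id": "1111-approved.apps.example",
     "app_name": "District Gradebook",
     "scopes": ["https://www.googleapis.com/auth/contacts.readonly"]},
    {"user": "dave@school.example", "client_id": "5555-other.apps.example",
     "app_name": "Mail Merge Helper", "scopes": [MAIL, CONTACTS]},
    {"user": "bob@school.example", "client_id": "7777-unknown.apps.example",
     "app_name": "Google\u200b Docs", "scopes": [MAIL, CONTACTS]},
    {"user": "alice@school.example", "client_id": "9999-reported.apps.example",
     "app_name": "Google Docs", "scopes": [MAIL, CONTACTS]},
    {"user": "erin@school.example", "client_id": "4444-quiz.apps.example",
     "app_name": "Quiz Tool",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
]

if __name__ == "__main__":
    for user, client_id, reasons in grants_to_review(SAMPLE_GRANTS):
        print(f"{user}\t{client_id}\t{', '.join(reasons)}")
```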